Parliamentary Committee Notes: Cyber Security and Protecting Canada's Critical Infrastructure
Bill C-26: An Act Respecting Cybersecurity (Parliamentary Committee Binder)
Date: July 27, 2023
Classification: Unclassified
Fully releasable (ATIP)? Yes
Branch / Agency: NCSB/PS
Cyber Security and Protecting Canada's Critical Infrastructure
Issue: Protecting critical infrastructure against cyber threats from hostile state actors and cybercriminals is an essential component of cyber security and resilience, which is vital to national security and public safety.
Proposed Response:
- Malicious cyber activities targeting the cyber systems that underpin critical infrastructure are a constant concern for businesses, individuals, and governments in Canada.
- The Government of Canada takes the security of our critical infrastructure seriously. Since 2018, Canada's National Cyber Security Strategy has been the roadmap for Canada's path forward on cyber security and has inspired steady progress in the development of resilient systems, innovation, and national cyber coordination and collaboration.
- The Government of Canada is working to enhance the cyber security of the country's critical infrastructure through the identification of cyber threats and vulnerabilities, and by preparing for and responding to cyber incidents.
- For example, Public Safety Canada's Cyber Security Assessment tools help owners and operators of Canada's critical infrastructure evaluate their cyber security maturity against established benchmarks and by peer comparison, while also offering concrete guidance on how they can become more cyber-resilient.
- Public Safety Canada also delivers programs focused on industrial control systems for critical infrastructure, which refer to the devices and software that operate or automate processes at facilities such as waste water treatment plants and power stations.
- For example, Public Safety Canada hosts the Industrial Control System Security Symposium series for critical infrastructure stakeholders, as well as online foundational security awareness sessions and technical workshops on cyber incident awareness and handling.
- Public Safety Canada also coordinates and delivers cyber-based exercises for the critical infrastructure community to test and develop capabilities to respond to, and recover from, malicious cyber activities. More broadly, the Department promotes communication and collaboration with the critical infrastructure community to raise awareness of cyber threats and risks, including with our international partners.
- The Communications Security Establishment's Canadian Centre for Cyber Security works with other government departments, the private sector, and academia to enhance the cyber resilience of critical infrastructure in Canada. The Cyber Centre shares valuable cyber threat information, best practices, and technical guidance with Canadian critical infrastructure owners and operators. The Cyber Centre also develops threat assessments and provides public and targeted advisories to analyze threats facing critical infrastructure owners and operators and share strategies to mitigate them.
- The evolving threat environment, including hostile activities by state actors, the ongoing Russian invasion of Ukraine, and the pandemic have shown that we must continue to develop new approaches to critical infrastructure security and resilience.
- Recognizing this dynamic landscape, efforts are underway to strengthen Canada's approach to critical infrastructure security and resilience in the face of cybersecurity risks, extreme weather events, supply chain disruptions, and hostile state activity.
Background:
Cyber Security Strategy
Canada's National Cyber Security Strategy (NCSS), published in 2018, has three primary goals – secure and resilient Canadian systems; an innovative and adaptive cyber ecosystem; and effective leadership, governance, and collaboration. The subsequent National Cyber Security Action Plan (2019-2024) lays out the specific roadmap that will allow for the realization of the NCSS' goals.
In the December 2021 mandate letter, the Minister of Public Safety was asked, alongside the Ministers of National Defence, Foreign Affairs, Innovation, Science and Industry, and other implicated Ministers, to develop and implement a renewed NCSS which will articulate Canada's long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behaviour in cyberspace.
Industrial Control Systems
There has been a global rise in the number of cyber incidents affecting industrial control systems (ICS), which are devices and software that operate or automate processes at many critical infrastructure (CI) facilities. This is significant as malicious cyber activities targeting these critical systems can cause physical consequences and disruptions to essential assets and services. As part of the aforementioned National Cyber Security Action Plan, Public Safety Canada is leading on several initiatives that will enable CI owners and operators to better secure their systems and information.
Public Safety Canada works to enhance the cyber security of ICS by raising awareness of risks to these systems and enhancing the capabilities of ICS operators through symposiums and technical workshops.
In addition, Public Safety Canada has worked closely with the Canadian Centre for Cyber Security (Cyber Centre) to develop the Canadian Cyber Security Tool (CCST and CCST 2.0), which provides Canadian CI organizations with an easy-to-use, online self-assessment tool to strengthen their cyber security posture.
Public Safety Canada also offers Canadian CI organizations more in-depth, facilitated assessments and analysis of their cyber security programs and practices through the Canadian Cyber Resilience Review (CCRR).
Cyber Security Exercises
Public Safety Canada coordinates and participates in national and international cyber security exercises to strengthen readiness and response efforts to potentially disruptive physical and cyber-based events. Through these exercises, CI owners and operators are able to validate their plans, procedures, and processes that enable response, recovery, and continuity of essential services. For example, in March 2021, Public Safety Canada, in collaboration with the RCMP and the Cyber Centre, delivered table-top exercises to examine the response to a ransomware incident, with a focus on strengthening collaboration between government and private sector organizations. In addition, Public Safety Canada recently launched the Cy-Phy Exercise Program which will examine the interconnectedness between the cyber and physical realms through a series of cyber and physical security related exercises, culminating in a large-scale functional capstone exercise in the Fall of 2023.
Foreign Interference
Canada has seen an increase in the frequency and sophistication of hostile activities by state actors (HASA) including by the People's Republic of China (PRC), the Russian Federation, and others seeking to advance their political, economic and security interests to the detriment of Canada's.
Foreign states leverage these activities to advance their strategic interests including: seeking geopolitical influence, economic advancement, revision of the rules-based international order, domestic stability, and military advantage. These activities can be directed at Canadians, or residents of Canada, or against Canadian institutions to advance their strategic interests at the expense of our national interests and values.
Through its mandate to investigate threats to the security of Canada, including foreign interference, CSIS has seen multiple instances of foreign states targeting Canadian institutions and communities. As well, the RCMP is aware that illegal state-backed activities are committed against Canadians and Canadian interests, and investigates these activities further to its mandate. The scope of potential HASA activities can be broad, encompassing a range of techniques that are familiar to intelligence agencies. These include human intelligence operations, the use of state-sponsored or foreign influenced media and disinformation campaigns, and the use of sophisticated cyber tools.
Russian Threat
In light of Russia's invasion of Ukraine, the Communications Security Establishment and its Cyber Centre have strongly encouraged all Canadian organizations, including CI, to take immediate action to bolster their online defences. Canada's Allies have attributed multiple incidents of malicious cyber activities targeting Ukrainian CI sectors to Russia; Canada has issued statements of support, condemning these activities. Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly.
In February 2023, the Cyber Centre published an alert regarding the risk of malicious cyber activity against Ukraine-aligned nations. The alert specifically warns Canadian organizations and critical infrastructure operators to be prepared for the possible disruption, defacement, and attempted exploitation of Canadian network assets by cyber threat actors aligned with Russian interests. It also recommends actions organizations can take to mitigate risk.